tuf: add a method to retrieve rekor public keys #500
Conversation
| return | ||
| } | ||
| for _, t := range targets { | ||
| rekorPubKey, err := cryptoutils.UnmarshalPEMToECDSAKey(t.Target) |
There was a problem hiding this comment.
Would UnmarshalPEMToPublicKey work, or do we make more assumptions that the Rekor key is an ECDSA key?
There was a problem hiding this comment.
Wow, I lost track of this comment -- yes! The methods that use Rekor public keys expect ecdsa keys: https://github.com/sigstore/cosign/blob/890cec1f43a8ec0754e0dd5a5d120847b63b6c4e/pkg/cosign/verify.go#L818
There was a problem hiding this comment.
Just curious, long-term, how hard would it be to remove the ECDSA requirement?
Signed-off-by: Asra Ali <asraa@google.com> update Signed-off-by: Asra Ali <asraa@google.com>
|
ping @haydentherapper or maybe this should just go in an internal cosign package? |
|
I'd prefer this either live in Rekor or sigstore/sigstore. Given it's intertwined with TUF, I think sigstore/sigstore in the best option for now. Long term, I think tlog verification should live in Rekor, certificate verification in Fulcio, TUF and crypto/signature/PEM/etc functions in sigstore/sigstore, OCI in Cosign. |
| return | ||
| } | ||
| for _, t := range targets { | ||
| rekorPubKey, err := cryptoutils.UnmarshalPEMToECDSAKey(t.Target) |
There was a problem hiding this comment.
Just curious, long-term, how hard would it be to remove the ECDSA requirement?
| @@ -55,6 +55,19 @@ func UnmarshalPEMToPublicKey(pemBytes []byte) (crypto.PublicKey, error) { | |||
| return x509.ParsePKIXPublicKey(derBytes.Bytes) | |||
| } | |||
|
|
|||
| // UnmarshalPEMToECDSAKey converts a PEM-encoded byte slice into an *ecdsa.PublicKey. | |||
| func UnmarshalPEMToECDSAKey(pemBytes []byte) (*ecdsa.PublicKey, error) { | |||
There was a problem hiding this comment.
Do you think we should make this a private function of rekorpubs? I'd prefer to encourage package users to use the more generic PEM to crypto.PublicKey method.
|
|
||
| // GetRekorPubs returns a map of rekor public keys keyed by rekor log ID. Each key contains | ||
| // the ecdsa public key of the log and the status of the log (e.g. Active, Inactive). | ||
| func GetRekorPubs() (map[string]RekorPubKey, error) { |
There was a problem hiding this comment.
We should also document that this caches the public keys. This could be an issue if used by a server that never restarts and never would fetch the latest keys for example.
Do you think we should have two functions, one for caching and one that doesn't cache?
|
@asraa Good to close in favor of sigstore-go? |
sigstore#500) Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com>
Signed-off-by: Asra Ali asraa@google.com
Summary
I expect that with this method, we can now set sign/verify opts to include RekorPubKeys, so that people can define this themselves when they cosign as a library. This is how the fulcio roots works as well.
Ticket Link
Fixes
Release Note